CORS
Cross-Origin Resource Sharing (CORS) lets browser-based clients on one domain access objects in your Filebase bucket on another domain. Without a CORS configuration, browsers refuse cross-origin reads and uploads.
Filebase implements the same CORS configuration API as AWS S3 — same operations, same XML/JSON schema.
Supported operations
| Operation | Description |
|---|---|
| GetBucketCors | Read the current CORS configuration. |
| PutBucketCors | Set or update the CORS configuration. |
| DeleteBucketCors | Remove the CORS configuration. |
CORS rule schema
A CORS configuration is an array of rules. Each rule specifies:
| Field | Required | Description |
|---|---|---|
| AllowedMethods | yes | HTTP methods to allow: GET, PUT, POST, DELETE, HEAD. |
| AllowedOrigins | yes | Origins (full URL or *) allowed to make requests. |
| AllowedHeaders | no | Request headers the browser may send. Use * to allow any. |
| ExposeHeaders | no | Response headers exposed to the browser. |
| MaxAgeSeconds | no | How long the browser may cache the preflight response. |
A simple read-only policy
Allow browsers from any origin to GET objects in this bucket:
{
  "CORSRules": [
    {
      "AllowedMethods": ["GET"],
      "AllowedOrigins": ["*"],
      "AllowedHeaders": [],
      "ExposeHeaders": []
    }
  ]
}
Apply with the AWS CLI:
aws --endpoint https://s3.filebase.io s3api put-bucket-cors \
  --bucket my-bucket \
  --cors-configuration file://cors.json
A SPA with browser uploads
Allow your single-page app at https://app.example.com to upload files via a pre-signed URL:
{
  "CORSRules": [
    {
      "AllowedMethods": ["GET", "PUT", "POST", "HEAD"],
      "AllowedOrigins": ["https://app.example.com"],
      "AllowedHeaders": ["*"],
      "ExposeHeaders": ["ETag", "x-amz-request-id"],
      "MaxAgeSeconds": 3000
    }
  ]
}
Apply the same way:
aws --endpoint https://s3.filebase.io s3api put-bucket-cors \
  --bucket uploads \
  --cors-configuration file://cors.json
Verify the configuration
aws --endpoint https://s3.filebase.io s3api get-bucket-cors --bucket uploads
Returns the active CORS rules in JSON. To remove all CORS rules:
aws --endpoint https://s3.filebase.io s3api delete-bucket-cors --bucket uploads
XML format
Filebase also accepts the legacy XML format used by some older tools:
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://app.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>
The AWS CLI uses JSON, so most users only encounter the XML form when integrating with older S3 tooling.
Tips
- List all the methods you'll use. A CORS policy that allows only GET blocks browser uploads, even if the URL is pre-signed. List PUT (and POST for multipart browser uploads) explicitly.
- List ETag in ExposeHeaders if your app reads it from fetch responses (it's not in the default exposed set).
- Use specific origins in production. * is fine for genuinely public assets; for application-specific buckets, restrict to your domains.
- Cache preflights aggressively with MaxAgeSeconds: values of 3,000 (50 minutes) or 86,400 (1 day) are reasonable.
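The tips above can be checked mechanically before a configuration is applied with put-bucket-cors. The following is an added example, not Filebase code: `lint_cors` and its `needs_upload` / `reads_etag` flags are hypothetical names, and the two sample documents are constructed copies of the policies shown on this page.

```python
import json

WRITE_METHODS = {"PUT", "POST", "DELETE"}

def lint_cors(config, needs_upload=False, reads_etag=False):
    """Return a list of warning strings for an S3-style CORS document."""
    rules = config.get("CORSRules", [])
    if not rules:
        return ["no rules: browsers will refuse cross-origin requests"]
    warnings = []
    can_put = exposes_etag = False
    for i, rule in enumerate(rules):
        methods = {m.upper() for m in rule.get("AllowedMethods", [])}
        origins = rule.get("AllowedOrigins", [])
        exposed = {h.lower() for h in rule.get("ExposeHeaders", [])}
        # Both fields are marked required in the rule schema.
        if not methods:
            warnings.append(f"rule {i}: AllowedMethods is empty")
        if not origins:
            warnings.append(f"rule {i}: AllowedOrigins is empty")
        # "*" suits public read-only assets, not buckets that accept writes.
        writes = sorted(methods & WRITE_METHODS)
        if "*" in origins and writes:
            warnings.append(f"rule {i}: any origin may {'/'.join(writes)}")
        # Coarse check: satisfied if any rule in the document qualifies.
        can_put = can_put or "PUT" in methods
        exposes_etag = exposes_etag or "etag" in exposed
    if needs_upload and not can_put:
        warnings.append("no rule allows PUT: browser uploads will be blocked")
    if reads_etag and not exposes_etag:
        warnings.append("ETag not in ExposeHeaders: fetch() cannot read it")
    return warnings

# Constructed inputs mirroring the two policies on this page.
READ_ONLY = json.loads('{"CORSRules": [{"AllowedMethods": ["GET"], '
                       '"AllowedOrigins": ["*"], "AllowedHeaders": [], "ExposeHeaders": []}]}')
SPA = json.loads('{"CORSRules": [{"AllowedMethods": ["GET", "PUT", "POST", "HEAD"], '
                 '"AllowedOrigins": ["https://app.example.com"], "AllowedHeaders": ["*"], '
                 '"ExposeHeaders": ["ETag", "x-amz-request-id"], "MaxAgeSeconds": 3000}]}')

if __name__ == "__main__":
    for name, cfg in (("read-only", READ_ONLY), ("spa", SPA)):
        print(name, lint_cors(cfg, needs_upload=True, reads_etag=True))
```

To lint a file on disk, pass `json.load(open("cors.json"))` as `config` before running put-bucket-cors.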
What's next
- Configure CORS for a SPA — complete walkthrough including the SPA-side fetch
- Pre-signed URLs
- Browser uploads recipe